WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: Rohyt Belani <rohytbelani () hotmail com>
Date: 29 Jan 2004 17:07:34 -0000
In-Reply-To: <310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net>

An easier solution to prevent XSS attacks might be to HTML encode the "<" and ">" characters as &lt; and &gt;. So even if they are accepted as input from the user, it would not result in the execution of a script like <script>...</script>.
オマル イスマイル (Omar Ismail) <isumai-u () is aist-nara ac jp> wrote:

I would like to know how you deal with the false positives. In the case of <img src="javascript: preview(....)"> or <img src="javascript:window.close()"> etc., if you escape the "(" and ")", that means you render out the harmless JavaScript too.

I'm not sure if I've understood the issue, so please correct me if I'm wrong. You would not escape *every* '<' or '(' in the html page. You would only escape those which come from user-supplied inputs in the first place. I assume that the harmless calls to preview() and window.close() are *not* user supplied inputs, but part of the html page template. So, there shouldn't be false positives escaping '(' and ')' from content that came from user-supplied inputs.

Thanks,
Sangita.
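Sangita's distinction between user-supplied input and template content, as an added Python example that is not code from the thread: only the user fields are HTML-encoded, while the template's own preview() and window.close() calls are left untouched. It encodes the quotes and & as well as < and >, since user text placed inside an attribute value can otherwise close the attribute; the template and the injected strings are constructed for the example.

```python
# Added example (not from the thread): HTML-encode user-supplied values
# before placing them in a page template, and leave the template's own
# JavaScript alone, as Sangita describes.
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def html_encode(value: str) -> str:
    """Encode the characters that let user text break out of HTML text
    or out of a quoted attribute value. '&' is in the table so that
    existing entities in user text are not turned back into markup."""
    return "".join(ENTITIES.get(ch, ch) for ch in value)


# Constructed page template. The preview() and window.close() calls are
# part of the template, not user input, so they are never encoded.
TEMPLATE = (
    '<img src="/static/thumb.png" onclick="preview(1)">\n'
    '<a href="#" onclick="window.close()">close</a>\n'
    '<p>Comment from <b>{name}</b>: {comment}</p>\n'
    '<input type="text" value="{name}">'
)


def render(template: str, **user_fields: str) -> str:
    """Substitute user-supplied fields into the template, encoding each
    one. str.format only parses the template, never the substituted
    values, so braces inside user text are not interpreted."""
    return template.format(**{k: html_encode(v) for k, v in user_fields.items()})


if __name__ == "__main__":
    # Constructed hostile inputs: a script tag in text context and an
    # attribute break-out attempt in the value="" context.
    page = render(
        TEMPLATE,
        name='"><img src=x onerror=alert(1)>',
        comment="<script>alert(1)</script>",
    )
    print(page)
```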
Current thread:
- Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)